Important Emoncms security update for multi-user emoncms installations V9.8.11


(Trystan Lea) #1

@Cagabi identified a security hole today in emoncms that affects multi-user installations, resulting from the way input process and virtual feed process lists were set. I have since fixed the issue and the fix is now available in the latest stable and master branch of emoncms.


The input processing part of the issue allowed an emoncms user to add a process to an input that referenced a feed of another emoncms user on the same installation, allowing both writing and reading of data - but only in realtime; historic data could not be overwritten or read. No metadata (feed name, userid etc.) could be read. This could be achieved with a call to the underlying input set processlist API.

The virtual feed part allowed a user to access the full history of a feed from any other user on the installation by adding the source feed process with the feedid of any feed, which could be done with a call again to the underlying API.

It's worth noting that for emonpi and emonbase installations running emoncms locally with a single emoncms account created (default install) this issue cannot be exploited. Which means this is only an important update if you're running a multi-user installation where the potentially exploiting user has an emoncms account.

The input processing part of the issue was present on (which has now been fixed), I ran a script to verify the content of all input process lists on all inputs and did not identify any processlists referencing feeds or inputs from other accounts.
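Both parts of the issue described in this post come down to the same missing check: a process list submitted through the API referenced a feed (or input) by id, and nothing confirmed that the id belonged to the calling user. The block below is an added example, not emoncms's own code, showing the shape of that check for both the input processlist and the virtual feed source feed case. The process list format "processid:arg,processid:arg", the process-id-to-argument-type table, and the ownership tables are all constructed assumptions for the example.

```python
"""Ownership validation for an emoncms-style process list (added example).

Before a process list is stored for an input or a virtual feed, every feed or
input id it references is checked against an owner table, so a user cannot
attach a process that reads from or writes to another user's feed. The
process list format and the argument-type table are assumptions for this
example, not emoncms's actual definitions.
"""
from typing import Dict, List, Tuple

# Argument kinds a process can take (assumed for this example).
ARG_FEED = "feedid"
ARG_INPUT = "inputid"
ARG_VALUE = "value"

# Hypothetical process table: process id -> argument kind.
PROCESS_ARG_TYPE: Dict[int, str] = {
    1: ARG_FEED,    # log value to a feed (writes the feed)
    2: ARG_VALUE,   # scale by a constant
    3: ARG_VALUE,   # add an offset
    4: ARG_FEED,    # accumulate power to kWh in a feed
    20: ARG_INPUT,  # add the value of another input
    30: ARG_FEED,   # virtual feed: read from a source feed (reads the feed)
}

# Constructed sample ownership tables: id -> owning userid.
FEED_OWNERS: Dict[int, int] = {5: 1, 7: 1, 9: 2}
INPUT_OWNERS: Dict[int, int] = {1: 1, 2: 2}


def parse_processlist(processlist: str) -> List[Tuple[int, str]]:
    """Split "1:5,2:0.5" into [(1, "5"), (2, "0.5")]; malformed entries raise ValueError."""
    items: List[Tuple[int, str]] = []
    if processlist.strip() == "":
        return items
    for entry in processlist.split(","):
        if ":" not in entry:
            raise ValueError(f"malformed process entry {entry!r}")
        pid, arg = entry.split(":", 1)
        items.append((int(pid), arg))
    return items


def validate_processlist(userid: int, processlist: str,
                         feed_owners: Dict[int, int] = FEED_OWNERS,
                         input_owners: Dict[int, int] = INPUT_OWNERS) -> Tuple[bool, str]:
    """Return (True, "") if every feed/input the list references belongs to userid,
    otherwise (False, reason). Unknown process ids and unknown feed/input ids are
    rejected rather than passed through, so the default outcome is a refusal."""
    try:
        items = parse_processlist(processlist)
    except ValueError as exc:
        return False, str(exc)
    for pid, arg in items:
        arg_type = PROCESS_ARG_TYPE.get(pid)
        if arg_type is None:
            return False, f"unknown process id {pid}"
        if arg_type in (ARG_FEED, ARG_INPUT):
            try:
                ref = int(arg)
            except ValueError:
                return False, f"process {pid}: non-integer id {arg!r}"
            owners = feed_owners if arg_type == ARG_FEED else input_owners
            owner = owners.get(ref)
            if owner is None:
                return False, f"process {pid}: {arg_type} {ref} does not exist"
            if owner != userid:
                return False, f"process {pid}: {arg_type} {ref} belongs to another user"
        else:
            try:
                float(arg)
            except ValueError:
                return False, f"process {pid}: non-numeric value {arg!r}"
    return True, ""


if __name__ == "__main__":
    print(validate_processlist(1, "1:5,2:0.5"))  # user 1 logging to their own feed 5
    print(validate_processlist(1, "1:9"))        # feed 9 belongs to user 2: refused
    print(validate_processlist(2, "30:7"))       # virtual feed reading user 1's feed 7: refused
```

The check sits on the server side of the processlist set API, so it applies regardless of which client submitted the list; the web UI only ever offers the user's own feeds, which is why the issue was only reachable through the underlying API. Note that a validation failure returns a reason without revealing who owns the referenced feed beyond "another user".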


(Paul) #2

Beware this update may break using the device module unless you change device module branch and flush redis when updating emoncms. (See the "Development: Devices, Inputs and Feeds in emoncms" thread around 16th Nov for info.)

AFAIK this only affects users of the emoncms device module.